Privacy Policy

Version 1.0 — Effective date: 2025-01-01

1. Data controller

CRESHDO is operated by [Operator — legal entity and contact address to be filled before launch]. For data protection enquiries, contact: [dpo@creshdo.example.com — placeholder].

2. What data we collect

We collect the following categories of data:

  • Account data: email address (stored encrypted at rest), password hash (argon2).
  • Demographic profile: date of birth, biological sex, skin type (Fitzpatrick I–VI), weight (kg), height (cm), timezone.
  • Protocol enrolment data: which protocols you enrol in, your enrolment status, notes, and a snapshot of your profile at enrolment time.
  • Check-in data: daily adherence records, outcome scores, free-text notes.
  • Photos: body region photos uploaded for longitudinal comparison. Stored in S3-compatible object storage with server-side encryption. Accessible only via short-lived pre-signed URLs.
  • Lab values: biomarker values entered manually, including test dates and reference ranges.
  • Adverse events: self-reported adverse events including severity, category, and outcome.
  • Health conditions and medications: free-text fields for relevant medical history (optional).
  • Consent records: immutable log of all consent actions (type, granted/withdrawn, timestamp, policy version, IP address, user-agent).
  • Technical data: IP address (for consent logging only), user-agent string.

3. Purpose and lawful basis

We process your data for three distinct purposes. Each relies on your consent as its lawful basis, and each is consented to separately:

  1. Platform functionality — providing your personal dashboard, check-in tracking, photo timeline, lab value charts, and account management. Lawful basis: explicit consent (GDPR Art. 6(1)(a)).
  2. Aggregate research analytics — including your pseudonymised data in aggregate statistics and research datasets visible to other users. This is per-enrolment and optional. Lawful basis: explicit consent (GDPR Art. 6(1)(a)). You may decline or withdraw per enrolment.
  3. Email communications — sending check-in reminders and platform notifications. Lawful basis: explicit consent (GDPR Art. 6(1)(a)). Optional; you may withdraw at any time in your profile.

4. Health data (GDPR Article 9)

CRESHDO processes special category data — specifically health-related data including conditions, medications, lab values, adverse events, and photos — on the basis of your explicit consent under GDPR Art. 9(2)(a). You provided this consent at registration by accepting the platform consent checkbox. You may withdraw consent by deleting your account (see Section 7).

5. Data retention

Your data is retained for as long as your account exists. Upon account deletion, all personal data is hard-deleted within 30 days. This includes: check-ins, outcome measures, photos (including S3 objects), lab results, adverse events, protocol enrolments, and consent logs.

Important limitation: Pre-computed aggregate summaries that have already incorporated your data are not retroactively recomputed. Anonymised data that has been included in published research datasets cannot be retroactively removed. This is an inherent limitation of aggregate research and is disclosed here. By granting research data contribution consent, you acknowledge this limitation.

6. Data sharing

  • Your data is never sold to third parties.
  • Pseudonymised (UUID-only, no email or name) aggregate data may be included in published research datasets if you have granted research contribution consent.
  • Photos are never included in public datasets without separate explicit consent. Version 1 does not implement that consent, so photos are excluded from all exports.
  • We may share data with infrastructure providers (hosting, object storage) under appropriate data processing agreements.

7. Your rights

Under GDPR, you have the following rights. You can exercise them via your profile page or by contacting us.

  • Right of access — export all your data as JSON or CSV (data export feature).
  • Right to rectification — edit your profile and check-in data at any time.
  • Right to erasure — delete your account to hard-delete all your personal data (with password confirmation). Aggregate summaries already computed are not retroactively removed (see Section 5).
  • Right to withdraw consent — withdraw communication consent or research contribution consent at any time in your profile or enrolment settings. Withdrawing platform consent requires account deletion.
  • Right to data portability — export your data in machine-readable JSON or CSV format.

8. Security measures

  • Email addresses stored encrypted at rest.
  • Passwords hashed with argon2 (no plaintext storage).
  • All data in transit encrypted with TLS.
  • S3 object storage encrypted at rest; access via pre-signed short-lived URLs only.
  • Role-based access controls; admin endpoints require an explicit role check.
  • JWT authentication with short expiry.
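The two items above on short-lived JWTs and explicit role checks describe a mechanism rather than a policy, so here is an added illustration of what "short expiry" and "explicit role check" mean in practice. This is example code written for this page, not CRESHDO's own implementation; the secret key, the 15-minute lifetime, the 30-second clock-skew allowance and the claim names are assumptions.

```python
"""Minimal HS256 JWT mint/verify with a short expiry and an explicit role check.

Added illustration, stdlib only. Not CRESHDO's code: the key, lifetimes and
claim names below are assumptions chosen for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"assumed-demo-key-replace-with-32-random-bytes"  # assumption: real key is random
ACCESS_TOKEN_TTL = 15 * 60  # assumption: 15-minute access-token lifetime
CLOCK_SKEW = 30             # assumption: tolerate 30 s of clock drift between hosts


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, role: str, now: Optional[float] = None) -> str:
    """Issue a compact JWT whose exp is a short, fixed offset from iat."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "role": role, "iat": now, "exp": now + ACCESS_TOKEN_TTL}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims of a valid, unexpired token; raise TokenError otherwise."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm server-side: the header must never choose it
    # (rejects "alg": "none" and key-confusion attacks).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET_KEY, (h_b64 + "." + c_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    # Expiry is enforced only after the signature is proven good, with bounded leeway.
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + CLOCK_SKEW:
        raise TokenError("expired")
    return claims


def require_role(claims: dict, role: str) -> None:
    """Explicit role check for privileged endpoints; a valid token alone is not enough."""
    if claims.get("role") != role:
        raise TokenError("forbidden")


def check_token(token: str, now: float, role: Optional[str] = None) -> str:
    """Convenience wrapper: returns 'ok' or the reason the token was rejected."""
    try:
        claims = verify_token(token, now=now)
        if role is not None:
            require_role(claims, role)
        return "ok"
    except TokenError as e:
        return str(e)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token("user-123", "user", now=t0)
    print(check_token(tok, t0 + 60))                        # ok
    print(check_token(tok, t0 + ACCESS_TOKEN_TTL + 31))     # expired
    print(check_token(tok, t0 + 60, role="admin"))          # forbidden
```

The order of checks matters: algorithm pinning comes first, then the signature, then expiry, and the role check is a separate, explicit step at the endpoint rather than something inferred from the token's mere validity.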

9. International transfers

If the platform is hosted within the EU/EEA, data does not leave the EU/EEA. If hosted outside the EU/EEA, Standard Contractual Clauses (SCCs) will be put in place before launch. [TODO: confirm hosting location before launch]

10. Contact

For data protection queries or to exercise your rights, contact: [dpo@creshdo.example.com — placeholder]. We will respond within 30 days.